Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Zen Section

Table of Contents



Atlassian applications (Confluence, JIRA, Crowd, FishEye, etc..) have no out-of-the-box support for single sign-on in an Active Directory environment.

What does it do?

Enables your Active Directory provisioned users to log into their desktops and automatically be authenticated into Atlassian Confluence, JIRA or any other Atlassian product. 

How do we do it, generally?

There are three major components with AppFusions' Kerberos SSO Authenticator for Atlassian applications.

  1. The AD Domain Controller and Key Distribution Center (KDC) which is responsible for distributing Kerberos tickets within the intranet that client workstations and servers are part of.
  2. The AppFusions Kerberos authentication filter will then process all incoming request and handle Kerberos protocol, including negotiation and validation of the Kerberos ticket. Once the ticket is obtained and verified, the request will be passed onto ... 
  3. The AppFusions Seraph authenticator, which will authenticate and log the user into Confluence.

There is a fourth optional component that ties into the authentication filter, to provide pattern based URL processing, determining if any special URL patterns should be excluded from the authentication process.

Which flavor is right?

All Atlassian products: Confluence, JIRA, FishEye, Crucible, Bitbucket (formerly Stash), Bamboo, Crowd, SVN





Available Now?



Windows and Linux-based network






Windows-only network






Reverse proxy in network






External users and Linux




with customizations



Email us

Email us



What is the process?

Implementing the authenticator in your network is a multi-step process, requiring light consulting via AppFusions. The process has been repeated over and over by our engineers in different environments, and pleased to say that it is fairly methodical/streamlined efforts, even with unique configurations for all deployments; it just works.

Here are the steps, in general:

  1. Complete the AppFusions AD SSO Network Pre-Qualifier Questionaire by copying the questions into email and replying to AppFusions.
  2. We will reply, if any questions, and/or reply with a "quote to pay" to kick off the effort. 
  3. Set up a staging environment for initial deployment. Since this is login-affecting, we do not deploy on production systems at first. We deploy on your staging with your assist, and you will do the production system, now that you know how (and have documentation to do it.)
  4. Kick off. The process is usually about a week of back and forth between our team and you network and AD admins. This is managed through a Confluence space that we allocate to you, so we can also have a running set of notes. 
titleMoney Back Guarantee

If for ANY reason AppFusions is not able to deploy to your site, AppFusions provides a money back guarantee within 30-days of purchase. (To date, we have not had to provide a refund.) 

Your AppFusions AD Login Authenticator is licensed and includes maintenance updates for one year.

titleCommunity Licenses and Open Source Licenses

This solution does not include free support. AppFusions will issue you an online pay quote per listed commercial prices.

Deployment Steps

The steps for deployment are:

  1. Install the AppFusions AD Login Authenticator (from the Marketplace)
  2. Install the AppFusions Sereph Security Framework Module provided by AppFusions
  3. Implement Server Configurations per AppFusions provided guidance (these are specific to your network and environment).
  4. Implement AD configurations (Kerberos only) per AppFusions provided documentation and guidance.
  5. If applicable, implement customizations per AppFusions provided documentation and guidance.
titleAt 60, 30, and 15 days prior to expiry, AppFusions will email you about renewal.

After expiry, a note will be displayed that the SSO authenticator has expired. Please contact your administrator for renewal or updates. If you do not renew, users can still long into Confluence with default authentication, but updates will not be allowed unless renewed.

FAQ (Frequently Asked Questions)

1) Is it possible to have it function between an externally hosted Confluence site and our own internal domain? If so, what are the requirements?

We have done this working closely with our hosting data center. Requirements are:

  • Confluence site must be in DNS as an A record
  • Confluence site must be able to connect to Kerberos ports. This is done with a secure tunnel configured back to your home office.

2) Can it support multiple domains? We have a two-way read only trust with another domain, and we need a solution that will support users from the trusted domain as well.

We have done multiple domains from different forests.
Customer needs to make sure that usernames from the two domains do not clash since Confluence does not track from what domains the users are.